The Cisco APIC supports both local and external authentication and authorization (TACACS+, RADIUS, Lightweight Directory Access Protocol [LDAP]) as well as role-based administrative control (RBAC) to control read and write access for all managed objects and to enforce Cisco ACI administrative and per-tenant administrative separation. The Cisco APIC also supports domain-based access control, which enforces where (under which subtrees) a user has access permissions.

Question No: 32

What is accomplished when you install a bounce entry in a leaf?

A. Eliminate loops

B. Forward GARP packets

C. Redirect traffic to old VTEP destination

D. Redirect traffic to new VTEP destination

Answer: D

Explanation: Under a normal migration, when a VM moves due to vMotion onto a leaf that does not have those EPGs and VLANs programmed, they will be deployed immediately. vCenter/ESXi host will send a GARP to ACI, the old leaf will bounce traffic to the new location of the endpoint, and traffic/learning will occur. The bounce entry will stick around for a bit (about 5 minutes) and then be removed. The EPGs, VLANs, and Default Gateway will be deployed as soon as the move is detected and there will be little to no downtime (I usually see 0-1 ping loss, most of the time just increased latency).

When a virtual endpoint is discovered, the policy is pushed and programmed to the leaf nodes based on resolution immediacy and instrumentation immediacy, respectively. In both cases, there is an immediate and on-demand (default) option that is defined when the VMM is associated on Cisco APIC. The on-demand option conserves resources and uses the reserved space in the policy content-addressable memory (CAM) when needed.

Resolution Immediacy

The first option to push a policy is immediately. All policies (VLAN, NVGRE, and VXLAN), bindings, contracts, and filters are pushed to the leaf node when the hypervisor physical NIC (pNIC) is attached. With the on-demand option, policies are pushed to the leaf node when the pNIC and vNIC are attached to the port group (EPG).

Deployment Immediacy

Deployment immediacy defines when the policy is programmed in hardware. If the immediate option is chosen, the policies are programmed in the policy CAM after they are received by Cisco APIC. The on-demand option programs policies in the hardware policy CAM only when reachability is learned through the data path.

Question No: 34

A shard is a unit of data. How many copies does each Cisco APIC shard have including the active shard?